The Art of Cybersecurity

Strategery

Many moons ago, I had the onerous task of taking a Security+ certification test.  I passed by the skin of my teeth and have dreaded the thought of taking it again.  Luckily for me, there are ways to validate your continued work in the cybersecurity field to extend how long your certification lasts.  Unluckily for you, one of those measures is via writing a blog post on some topic related to cybersecurity. 

What will follow is the first of several Wanderings on all things cyber—with a twist.  I will find and increasingly stretch bizarre metaphors to fit various cybersecurity and cyber warfare concepts in the hope that the Lords of Certification grace me with their Continuing Education Units so I don’t have to endure the gauntlet of that test again.  So without further adieu, I present for your consideration cybersecurity as told by a man who preceded it by roughly 2500 years—Sun Tzu.

I’d wager a decent percentage of the world has at least heard the term “the Art of War”, and a sizable chunk of that likely knows it references a book.  These days, you’re more likely to hear it referenced in a board room by some suit instead of on a battlefield.  And just like those overpaid consultants or motivational speakers, I will crib some of his ancient wisdom on strategy and force those round pegs into cyber-shaped holes.  Let’s begin!

*Note: there are as many translations of Sun Tzu as there are ways to trick people into giving you their email passwords.  The ones I’m using meet the general intent, but likely lack some of the finesse the author initially intended.*

Quote #1: The general who wins the battle makes many calculations before the battle is fought.  The general who loses makes but few.

When considering cybersecurity, one must always acknowledge that every day brings a shifting battlefield with no guarantee of safety.  The Internet is a dangerous place, rife with hostile and malicious actors that earn their keep by ruining yours.  Worse yet, there are legions of automated tools out there that constantly troll through systems connected to the Internet, just waiting for some known vulnerability to exploit.  Why would you ever approach such a situation blind?

Preparation is key to success in cybersecurity.  In this, the attacker almost always has the advantage.  To exploit a system, all the attacker needs is one vulnerability to leverage, while the defender must consistently prove effective day after unending day.  Not only that, but the attacker has decades’ worth of exploits and vulnerabilities to lean on, any one of which going unpatched leaves the virtual gates unlocked.  Recognizing this means the defender knows they are in for a grind, and must come prepared accordingly.  Researching anti-malware software (or security vendors, depending on the scale you operate at), purchasing trustworthy equipment that is secure from supply-chain interdiction, training yourself and your employees to identify social engineering attempts—all of these are key to a defender’s successful preparation.

Quote #2: The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

The need for preparation from Quote #1 stems from the certainty that the adversary will come for your network.  You may be a Fortune 500 company, a local business catering to potato sculpture enthusiasts, or just a blogger screaming into the void, but you are all equal in this: you are a target.  If your cybersecurity stance consists of hoping that they’ll pass you over, I wish you luck when the next NotPetya rolls through your system like a rampaging horde of Huns.

Acknowledging that you are a target shifts the conversation from “will I be attacked?” to “how will I mitigate an attack?”  Notice I did not say prevent—nothing can do that, unfortunately.  One of the sureties of modern cybersecurity is that, with enough time and effort, any system can be breached.  How you react to that, however, makes all the difference in the world.  You’ll notice that companies like Google, Netflix, and Amazon rarely make the news for data breaches compared to some other companies.  That’s because they know they’re huge targets, and they resource their cybersecurity sections accordingly.  They still have network breaches, but they have prepared enough to account for them and react.

Quote #3: If ignorant both of your enemy and yourself, you are certain to be in.

Knowing you’re a target is one thing; knowing why is something else entirely.  Knowing what you have that is worth taking helps you determine who might be after it, and knowing that helps you ascertain what sort of resources they can bring to bear against you.  Your off-brand, pun-based food blog is not likely to draw the attention of Russian intelligence services quite like a company with Department of Defense contracts, so the level of resources to pour into cybersecurity will differ dramatically.  Don’t sell yourself short, though; I’m sure someone out there wants your secret family recipe.

The flip side of this is knowing yourself, and by that I mean your network.  If you don’t have a functional understanding of what you’re operating on, you’re not in a good position to defend it.  Imagine a king of olden times knowing an enemy is laying siege to his castle, but he hasn’t the foggiest idea where his city walls are or the men who are supposed to defend them.  Failing to understand your network means you’ll never be able to apply your resources effectively, either to proactive defense or efficient response.

Sun Tzu may have lived thousands of years ago, but his wisdom has proven timeless in war and a myriad of other fields he never could have imagined.  Cybersecurity is just one more area we can apply his lessons to, and a network warrior like yourself would do well to consider them.  Wax on, wax off, my friends.